Authentication and RSS

RSS grew up on the public Internet, and it seems that authentication will be problematic as it moves onto the Intranet. On Intranets, expect to find the following authentication mechanisms:

  1. NTLM
  2. kerberos
  3. Digest
  4. Forms based
  5. Basic (usually combined with SSL)

Only the last of these mechanisms can be assumed (with any confidence) to work with most desktop RSS readers, and web-based readers often don’t even support that.

The essential issue is that the web pretty much assumes we can cope with all of these authentication mechanisms because all access is interactive, but with RSS it needs to be automatic and transparent. The following issues spring to mind:

  1. NTLM – so far as I know, is only supported by IE 7 and the Vista RSS platform, and by very few servers; but if you are a Microsoft shop and are only connecting to SharePoint 2007 then this may work for you
  2. Kerberos – same as above, but probably even more demanding
  3. Digest – hardly ever used in my experience, on either client or server (though I may be wrong), and it has the disadvantage that your username and password will need to be stored somewhere on the client, which many enterprise security policies don’t allow
  4. Forms based – very popular server side, but no chance of supporting this in everyday RSS readers. I have seen a hack that involves browsing to a web page from within the RSS reader, authenticating, getting the cookie and then synchronising your feeds. VERY VERY messy
  5. Basic with SSL – very widely used and supported by most readers and RSS servers, but it has the disadvantage that your username and password will need to be stored somewhere on the client, which many enterprise security policies don’t allow

This leaves us with a problem. If you are a Microsoft shop you might get away with a combination of 1, 2 and 5. If not, then it looks like it’s time to start lobbying your security policy makers to allow Basic over SSL and local (encrypted) credential storage.
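As an added example (not code from the original post), here is a small Python feed client that applies the conclusion above: it reads the server’s WWW-Authenticate challenge to tell NTLM, Negotiate (Kerberos), Digest and Basic apart, treats an HTML page served in place of the feed as a forms-based login, and only sends stored Basic credentials when the feed URL is HTTPS. The URLs, realm and User-Agent string are placeholders I made up.

```python
import base64
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Schemes an everyday desktop RSS reader can be assumed to handle unattended.
SUPPORTED = {"basic"}

# Scheme tokens at the start of WWW-Authenticate or after a comma, followed by
# params/token68, another challenge or end of header; realm=/qop= are skipped.
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][\w-]*)(?=\s*(?:,|$)|\s+\S)')

def parse_challenges(www_authenticate):
    """Lower-cased schemes offered, e.g. 'Negotiate, NTLM, Basic realm="feeds"'."""
    return [m.lower() for m in _SCHEME.findall(www_authenticate or "")]

def classify(url, status, www_authenticate, content_type):
    """Map a feed server's first (unauthenticated) response to a verdict."""
    if status == 401:
        offered = parse_challenges(www_authenticate)
        if not any(s in SUPPORTED for s in offered):
            # Only NTLM, Negotiate (Kerberos) or Digest: the reader cannot proceed.
            return "unsupported:" + ",".join(offered)
        if urlparse(url).scheme.lower() != "https":
            return "refuse-plaintext-basic"  # would send the stored password in clear
        return "basic-over-tls"
    if status == 200 and "html" in (content_type or "").lower():
        return "forms-login-page"  # the server served its login form, not the feed
    return "ok" if status == 200 else "http-%d" % status

def fetch_feed(url, username, password):
    """Probe anonymously, then retry with Basic credentials only over HTTPS."""
    req = urllib.request.Request(url, headers={"User-Agent": "feed-probe/0.1"})
    try:
        with urllib.request.urlopen(req) as resp:
            verdict = classify(url, resp.getcode(), resp.headers.get("WWW-Authenticate"),
                               resp.headers.get("Content-Type"))
            return verdict, (resp.read() if verdict == "ok" else b"")
    except urllib.error.HTTPError as err:
        verdict = classify(url, err.code, err.headers.get("WWW-Authenticate"),
                           err.headers.get("Content-Type"))
        if verdict != "basic-over-tls":
            return verdict, b""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return "ok", resp.read()
```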

3 Comments

  1. Anonymous wrote:

    Steve, would you join me in demanding Basic over SSL for our company’s RSS on Discussions, etc.? Double login just puts off most users :-(

    Sunday, October 8, 2006 at 1:14 PM | Permalink
  2. Anonymous wrote:

    I have started to lobby already without much success. It seems it’s very difficult to get anyone to take interest in taking an action that requires a debate relating to security policies.

    Maybe it’s a requirement that security professionals need to be very inflexible, otherwise they would rarely achieve anything. I have personally considered every discussion with security a negotiation, hopefully with a win-win outcome, but it’s not always easy to get the negotiation started.

    Sunday, October 8, 2006 at 2:56 PM | Permalink
  3. Anonymous wrote:

    Security should be part of rather than against Information Management. Too much of it destroys what it purports to protect. RSS is about spreading information; what is the point of producing corporate information and preventing its publication!? I am very security-minded but also passionate about the publish/subscribe paradigm. Recently I find that I’m getting somewhere in my Corporation. Could it be a mirage?

    Friday, November 3, 2006 at 8:43 PM | Permalink